Alteryx Data Breach Exposes Information On 123 Million American Households

You’ve probably never heard of them, but chances are good they know plenty about you ― including things like your home address, your phone number, your sports interests and whether you’re a “dog enthusiast.”

“They” are an online marketing and analytics firm by the name of Alteryx, and according to a report Tuesday by the cyber risk company UpGuard, they left a database containing sensitive information on 123 million American households unsecured and open to the public.

Chris Vickery, UpGuard’s cyber risk research director, told HuffPost Tuesday he stumbled across the 36-gigabyte database during a routine search of Amazon Web Services’ storage “buckets,” which house data for various companies of all sizes. Anyone with a basic understanding of what keywords to look for and how to sift through vast amounts of data could have done the same, Vickery said.

“I’m not the only person doing this,” he said. “I’m certain there are bad guys doing it as well as good guys.”

As for the data itself: The file contains 123 million rows of data, one for just about every single household in the U.S. at the time of its likely creation in 2013. And each of those households is individually described via 248 specific categories.

In addition to the data listed above (address, phone number, whether you’re a dog or cat person, etc.), other categories include the number of children living in the house, and their age ranges and gender; what types of magazines you subscribe to; your mortgage amount; how old your car is; which causes you donate to; your ethnicity; and plenty more.

Michael Nagle/Bloomberg via Getty Images
Alteryx signage is displayed in front of the New York Stock Exchange during the company's initial public offering, March 24, 2017. The company left personal information describing 123 million U.S. households exposed.

While the database doesn’t include individual names, Vickery said that’s a moot point given everything else it contains.

“It gets down to a level specific enough to be dangerous, although it does not have first [and] last names,” he said. “It’s so simple to look up somebody’s name if you have their address and their phone number.”

Given its personal nature, that information could be used for pretty damaging purposes, like circumventing what’s known as “knowledge-based authentication.”

“When you buy a car these days, or you apply for a loan, or you’re going for a student loan with the government or something, in order to verify who you are, a lot of times you run into knowledge-based authentication,” Vickery explained. “That’s where not only do you have to provide your name, address and Social Security number, but they’ll also ask you, ‘OK, where did you live five years ago, who owns the mortgage to your house’ ― all sorts of bits of data that only you are supposed to know.”

“Databases like this allow bad guys to have that information about large swaths of people,” he said. “So lots of fraud can be committed, even with systems that are designed to be based on personal knowledge.”

"Databases like this allow bad guys to have that information about large swaths of people."Chris Vickery, cyber risk research director, UpGuard

A central component of Alteryx’s database, titled “ConsumerView,” was provided by a company you probably have heard of: Experian. Experian has a database with that exact name that Alteryx incorporates into a license it sells for $38,995 a year.

“This is an Alteryx issue,” Experian said in a statement, noting that the data in question is used often in marketing. “Data security has always been, and always will be, our highest priority. As a matter of security best practices, Experian vets all our clients and mandates robust security measures and controls to secure our data.”

To be clear, Experian isn’t responsible for this particular data breach, though it’s certainly not a stranger to data breaches in general. Experian supplied the data to Alteryx, and Alteryx failed to secure it. (Similarly, Alteryx likely wasn’t at fault for a separate data breach earlier this year that exposed the personal information of almost all of America’s 200 million registered voters. The database in that instance was stored as an Alteryx file type, suggesting it originated with the company, but the blame rests with the Republican data firm that left it open to the public.)

Regardless of who is at fault in this particular circumstance, Vickery said all the companies that compile this type of data need to up their security game.

“I’m a little disappointed that [Alteryx] would just leave it unencrypted out there for anybody, and that Experian would just give them a copy like that,” he said. “Keeping it open and in the clear is just asking for trouble.”

As for the consumers affected by this breach ― which, again, is pretty much every American household ― there isn’t much we can do except push for stronger regulations on the companies that compile this type of data.

“We live in a new age,” he added. “You have to stay vigilant. You have to watch your financial accounts. You can’t just assume you’re not going to be a victim, because the bad guys have the knowledge, the information and the tools these days.”

“It’s more a question of whether or not you’re lucky rather than how protective you’ve been,” he said. “Even if you’ve been very protective of your information, there’s companies like Equifax that have your data. And even though you never gave it to them, they get breached all the time.”